General

Malware Config

Signatures

Files

• Iridium (1).rar

  .rar
• IridiumGhost.exe

  .exe windows x64

  952ff9a18e13f4007ec39934a2f13cb3

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Imports

  kernel32

  GetConsoleCursorInfo

  GetSystemTimeAsFileTime

  LocalAlloc

  LocalFree

  GetModuleFileNameW

  GetProcessAffinityMask

  SetProcessAffinityMask

  SetThreadAffinityMask

  Sleep

  ExitProcess

  FreeLibrary

  LoadLibraryA

  GetModuleHandleA

  GetProcAddress

  user32

  UpdateWindow

  GetUserObjectInformationW

  GetProcessWindowStation

  GetUserObjectInformationW

  comdlg32

  GetOpenFileNameA

  advapi32

  CryptEncrypt

  shell32

  ShellExecuteA

  ole32

  CoInitializeEx

  oleaut32

  SysFreeString

  d3d9

  Direct3DCreate9

  ws2_32

  WSACleanup

  crypt32

  CertFindCertificateInStore

  wldap32

  ord32

  normaliz

  IdnToAscii

  winmm

  PlaySoundA

  imm32

  ImmSetCompositionWindow

  ntdll

  NtReadVirtualMemory

  wtsapi32

  WTSSendMessageW

  Exports

  Exports

  �M)��SU�,������w˹�Bk�G��T���a�2��~0�yo��(M�q)�M���ɗ���|�N2�k�/��� ܀�
  `?M|���15;�f,��Q-�~hZ��i����e��L�C2z�Z2�#Fu?��`�`��_ގ����~>Zp?c4�t{3���4����6G�7�*Bl�!�G!��M�:���0�a�IM����_���gxW�T8Gr���k��
  �ei�|��>#6�=^���k�Oe������|^m�����$ti���pЖ(��F�μ=��]{��
  �JB!�R�N�)ҫ"~�^�6�#���&5�M��)-��==�m�v����>�����A��Đv‘�=� Qn�xqg�i6�h��Cz��"��=����=6Pm �2Cu7����ً�����C��w���X�%�y�]a1�Z�;���+&������;J��;��r�,n@ݎj" �F��sI�i\+ʴ�CM/��}c-l$fa�H(�H��GS�AB �]�5�-ÏBU]�{ľ�pi�rRIqe�����P ���M(0wI�{�>�J����9� f�n�P�7o�R��~>G�2C'�`v��t�65�=�]n2�V�J9wR��R�6�,�!8Ӥ4�E�1t�Q�s~92Q�o��#��.��� ۞�ԨH�+�sb�!�X�2=/��C��w}��Y[6��&'Y,^b�G��Z�!��ٕk(��E���/����*��I����)���%�[�X��'j��k�T�W:u}�
  #��n��U�W}6|�Dz6�g��ooo �L��"o�h��� �ˁ�����I|Kc���� -�;��` ���q)�@���q����GQ�����_lA&���%:����h������PD90�.����@�gi|&%��r��䙹�ƶ�9�U� �+��I�®�5��5�9l��w�o"�W�q?m=�N�/�=��v�#��5hZ9,Zk�� b[e3�!����
  F��2[�Ѿ�o�"H��-8�X�^M�et�@l�"�:B�΃���ǰ�ɥhd��q��m�9b�"Gv�+�*ȩ( ���5��B�Ӝv�a�c��Q��Û��e�{��$"�������F^逥�~e�4��e��MGְ�� yݦ��,�c���7��-x���ׅyǿ`&��[������_S�*��<l�!`�nT������O��-����p�����2��H�Ή}�D����8��<(�Һ��D�>k/9�O��q)ċ�)�!��~��P�Q4�`�Nm�����k��$K��LE���97P]�uk��䚥�X�z�������[�������έ.6��=�m� ������@�Z������^�'��� Ov���8#)r8��S�Rf���3(_��*Q+�=6�\�iXK�fJ-��U����Ѽ�t��?�(�d�8d��=
  b��6DZ�o�GY���s8���e� `3o�������� �}?s����|C1U��>o9�/dd���6�g�J�u4�O�ͨ���w]n|3�ӀV���������bo��HF��hO��SNm>j��u�^7��aw���Kᔥe����I�|D��JH�X)_ó��W�?�>�{E���>��WD+��v�ے4�BC]�8���6�1fà�C�(H�+!Ԅ��w�Mu�LOj�A��0b��z�Z�R-Msw�����harQ�P��N@�����F�i�+��#^t��-�t"�.F�Q��ۣ�g ��\<�ţ����i��&"&��"�̷��"�<�r�ۦ�ˠ���lK<Q�#�V+���(Z��X4n��������a'�m'i��Qm��q����@�l͐h�U����r஽$~��#5���q��u�"�����ILp!5��[��7�xR�F��5gT]uT�o!88��F��>�-�Ǹ8P�Z�����\��>����=ߌ���[�ڃ��� ���Hy�o Ȓ���CC�._���L9���M���j��1�����;4<z�`I���jH��D����7QJ<���Y��6`z�7� �56���9�J �3f�`6�9��S��纐F�<{��T�^\*��\k���^v��� ��O��
  r �%�҈�4W+��;:��>��3f�M-+7��\e��'�p�Pi.�����S�A�NA���i/Z�<�i4�9<�g�n�����k[�%�:Ռ,'b���v>ڲ�j ���f��h�{�f<�#���p�e�/N��x�­��j���i:������?2f8ݣ�'�q�����y ���F��/��?�7�\�^���� j˓��;x�������I�ላ��S����4,2�a�j�;��������X��#���q��h#Ϫ��`��q��V�G�*�S�y�2w̡���p̫ 5�ol�� �O�4;�w��F����@��JQv>�0���>4�j~�]�:"n���-�]ft���������� _��
  @؈J^��+ܴ-(܅�+.e��1�˚Ƌh�{I�k���XqBp�N,��ľhF�o�k�K��{|�г�Qy�3�2!��*֐��/.,b"��
  \J�bͿ5�S�F�-�I���0�&����r���p~Um���K|����mQ�ͤ�y'e)���g�Oq�d! �UG +�<��E\��-�n�,�kq���bWJJ�jϒnA�COx���hJ\��X��rf[`�h��nK/?-�0��,��H9�|ZG�;O�e�z�)��bY��@3r��[�Fm�.���8*��|H�1��KύY
  m�h��_  �WЌU�Oo�[�;�r
  i�*���Ӄ�K3���]��nT;n4��I�u�����p�Djm��Id�~�N@NL�t��eP'�0 � �Y��2S���"� �jZ����C�E�}Z�7���0U��;�����-�����7p�t��_ F�~�˒�܋�P��>m��*^�q�ME���9 Fӛ\G� �Omas&��w�՞QX���(@ K4���I �}3�ٚ�j}@닂(�����:��XO�<)�*�薪[y��N��ѹ�Ѵ�؊��9��#����='��e��V�z��K�f�Ӯ(�AlIESA=�42Gs٤s�~?��=��v�rc���j� kbTf���S�c�&�a2]���WL $�Q��c�}d1�

  Sections

  .text

  Size: - Virtual size: 1.2MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: - Virtual size: 513KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: - Virtual size: 2.7MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .pdata

  Size: - Virtual size: 49KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  _RDATA

  Size: - Virtual size: 148B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .ird0

  Size: - Virtual size: 5.9MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .ird1

  Size: 9.5MB - Virtual size: 9.5MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 1024B - Virtual size: 850B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

• IridiumPatcher.exe

  .exe windows x64

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Sections

  Size: 3KB - Virtual size: 3KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  Size: 1024B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 512B - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  Size: 512B - Virtual size: 384B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 512B - Virtual size: 488B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 512B - Virtual size: 40B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  .idata

  Size: 1024B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 512B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .themida

  Size: - Virtual size: 9.2MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .boot

  Size: 5.7MB - Virtual size: 5.7MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

• Kangaroo.dll

  .dll windows x64

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Sections

  Size: 11KB - Virtual size: 23KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  Size: 2KB - Virtual size: 9KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 1024B - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  Size: 1024B - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 512B - Virtual size: 480B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 512B - Virtual size: 124B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  .idata

  Size: 512B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 512B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .themida

  Size: - Virtual size: 10.9MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .boot

  Size: 6.3MB - Virtual size: 6.3MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ